CVE-2026-24955
Reflected XSS in Whizz Plugins ≤ 1.9 Enables Code Injection
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fox-themes | whizz_plugins | From 1.0 (inc) to 1.9 (inc) |
| fox-themes | whizz_plugins | to 1.9 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24955 is a medium severity Cross Site Scripting (XSS) vulnerability found in the WordPress Whizz Plugins Plugin versions up to 1.9.
This vulnerability allows an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, into a website. These scripts execute when visitors access the affected site.
Exploitation requires user interaction, such as a privileged user clicking a malicious link, visiting a crafted page, or submitting a form.
The issue was reported on November 26, 2025, and patched in version 2.0.0 of the plugin, released on February 9, 2026.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute malicious scripts on your website, which can lead to unauthorized redirects, display of unwanted advertisements, or other harmful HTML payloads.
Such attacks can compromise the integrity and trustworthiness of your website, potentially harming your users and damaging your reputation.
Exploitation requires user interaction, but once triggered, it can affect any visitor to the site.
Immediate mitigation or updating to the patched plugin version 2.0.0 or later is strongly recommended to prevent these impacts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows an attacker to inject malicious scripts via crafted links, pages, or forms that execute when visited or interacted with by a privileged user.
Detection can involve monitoring for unusual or suspicious HTTP requests containing script tags or suspicious payloads targeting the Whizz Plugins plugin endpoints.
While specific commands are not provided, common approaches include using web application firewalls (WAF) with rules to detect reflected XSS patterns, or employing tools like curl or wget to test for script injection by sending crafted requests and observing responses.
- Use curl to send a crafted request with a script payload to plugin endpoints and check if the script is reflected in the response.
- Monitor web server logs for suspicious query parameters containing script tags or encoded payloads.
- Deploy Patchstack mitigation rules which include detection capabilities for this vulnerability until patching is done.
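As an added, defensive illustration of the log-monitoring approach described above (example code written for this page, not Patchstack's mitigation rule and not code from the plugin), the following Python script parses combined-format web server log lines, repeatedly URL- and entity-decodes each query parameter so that double-encoded payloads are not missed, and flags values carrying script-injection indicators. The log lines are constructed for the example, and the `/wp-content/plugins/whizz-plugins/` path prefix is a placeholder, since the advisory does not name the affected endpoints.

```python
"""Flag reflected-XSS indicators in the query strings of access-log requests."""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/Nginx "combined" format: the request target sits inside the quoted request field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked against the fully decoded parameter value.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),                                   # script tag
    re.compile(r"<\s*(?:img|svg|iframe|body|object|embed)\b[^>]*\son\w+\s*=", re.I),  # tag with event handler
    re.compile(r"\bon(?:error|load|mouseover|focus|click)\s*=", re.I),    # bare event handler
    re.compile(r"javascript\s*:", re.I),                                 # javascript: URI
]

# Placeholder path prefix: the advisory does not name the plugin's endpoints.
PLUGIN_PATH_PREFIX = "/wp-content/plugins/whizz-plugins/"


def full_decode(value, rounds=3):
    """Undo repeated URL encoding and HTML entities until the value stops changing."""
    for _ in range(rounds):
        new = html.unescape(unquote(value))
        if new == value:
            break
        value = new
    return value


def suspicious_params(target):
    """Return [(param_name, decoded_value)] for query parameters matching an indicator."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        decoded = full_decode(raw)
        if any(p.search(decoded) for p in XSS_PATTERNS):
            hits.append((name, decoded))
    return hits


def scan_log(lines, path_filter=PLUGIN_PATH_PREFIX):
    """Return findings for requests whose path contains path_filter (None = all paths)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        path = urlsplit(target).path
        if path_filter and path_filter not in path:
            continue
        hits = suspicious_params(target)
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": path,
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2026:10:01:02 +0000] "GET /wp-content/plugins/whizz-plugins/view.php?q=hello HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Feb/2026:10:01:07 +0000] "GET /wp-content/plugins/whizz-plugins/view.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    # Double-encoded and entity-encoded: decodes to an <svg> tag carrying an onload handler.
    '198.51.100.2 - - [20/Feb/2026:10:02:11 +0000] "GET /wp-content/plugins/whizz-plugins/view.php?ret=%2526lt%253Bsvg%2520onload%253Dx%2526gt%253B HTTP/1.1" 200 610 "-" "curl/8.0"',
    # Same indicator on a non-plugin path; only reported when path_filter is disabled.
    '198.51.100.7 - - [20/Feb/2026:10:03:40 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} params={f['params']}")
```

Run it as `python3 scan.py < /dev/null` to see the constructed findings, or replace `SAMPLE_LOG` with `open("/var/log/nginx/access.log")` for real logs; a reflected payload returned with HTTP 200 is the case worth reviewing first, since a 403 from a WAF rule means the request was already blocked. The pattern list is deliberately small and will not catch every encoding trick, so treat it as a triage aid next to the WAF, not a replacement for updating the plugin.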
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended step is to update the Whizz Plugins plugin to version 2.0.0 or later, where this vulnerability has been patched.
Until the update can be applied, use Patchstack mitigation rules which can block attacks exploiting this vulnerability.
Additionally, consider implementing or strengthening web application firewall (WAF) rules to detect and block reflected XSS attack patterns targeting this plugin.